A Decade of Data Protection – 10 Years of the GDPR

On 25 May 2026, the General Data Protection Regulation (GDPR) marks its tenth anniversary since its adoption by the European Union in 2016. Since coming into force in May 2018, GDPR has become one of the most influential pieces of legislation in the modern digital era, reshaping how organisations worldwide collect, process and safeguard personal data.

Before GDPR, data protection within the EU was governed by the 1995 Data Protection Directive, which had become increasingly outdated in the face of rapid digital transformation. The expansion of social media, cloud computing and data-driven business models exposed gaps in the existing framework, highlighting the need for a stronger and more harmonised regulatory regime. GDPR addressed this need by establishing a unified set of rules across Member States, enhancing legal certainty, empowering individuals, and strengthening organisational accountability.

At its core, GDPR is built upon key principles, including transparency, accountability, data minimisation and purpose limitation. Over the past decade, these principles have become firmly embedded in corporate governance and risk management practices. Importantly, GDPR significantly enhanced individuals’ rights, granting them the ability to access personal data, request rectification, obtain erasure (the so-called “right to be forgotten”), and exercise data portability. These rights have helped recalibrate the balance of power between individuals and organisations in the digital economy.

A defining feature of GDPR is its robust enforcement regime. Supervisory authorities are empowered to impose administrative fines of up to €20 million or 4% of a company’s global annual turnover, whichever is higher. Over the past decade, enforcement actions across Europe have resulted in billions of euros in fines, including several high-profile cases involving major technology firms. These actions have not only penalised non-compliance but have also driven widespread adoption of proactive measures, such as data protection impact assessments, enhanced governance structures and the appointment of Data Protection Officers.

GDPR’s influence extends far beyond the European Union. It has served as a model for privacy legislation globally, shaping frameworks such as the California Consumer Privacy Act (CCPA) and similar regimes in jurisdictions including Brazil, Japan and South Africa. For multinational organisations, GDPR has effectively become the baseline standard for data protection compliance.

Nevertheless, GDPR has not been without criticism. Smaller organisations in particular have faced challenges in navigating its complexity and administrative requirements. In addition, enforcement across Member States has at times been uneven, with concerns raised regarding delays in cross-border decision-making. There is also an ongoing debate about the regulation’s ability to keep pace with emerging technologies such as artificial intelligence, biometric data processing and the Internet of Things.

In this evolving context, the European Union has begun to supplement GDPR through a broader, more integrated digital regulatory agenda. Notably, initiatives such as the Digital Services Act, the Artificial Intelligence Act, and the forthcoming Digital Omnibus proposals signal a shift towards streamlining and modernising EU digital legislation. The Digital Omnibus is expected to refine and interlink existing frameworks, reducing fragmentation while enhancing coherence across data protection, platform regulation and digital governance. In doing so, it aims to address regulatory overlap, improve enforcement efficiency, and better equip organisations to comply with an increasingly complex legal landscape.

As GDPR enters its second decade, its relevance remains undeniable. However, the data ecosystem continues to evolve at pace. Policymakers are therefore focused on refining enforcement mechanisms, clarifying legal obligations in relation to emerging technologies, and strengthening international data transfer regimes. The integration of GDPR within a wider digital regulatory architecture, including the Digital Omnibus, will likely play a key role in shaping its future application.

Ten years on, GDPR stands as a landmark achievement in digital governance. It has transformed data protection from a niche legal concern into a central pillar of organisational responsibility and public trust. While challenges remain, its legacy is clear: GDPR has fundamentally reshaped how personal data is understood and managed. As technological innovation accelerates, its principles will continue to serve as a critical safeguard, ensuring that progress does not come at the expense of individual rights.

Contributor: Kieran Harte
